Universal circuit for secure function evaluation

ABSTRACT

An exemplary method enables implementation of a universal circuit capable of emulating each gate of a circuit designed to calculate a function. A first selection module receives inputs associated with the function. It generates outputs that are an ordered series of the inputs. A universal module receives these outputs and generates another set of outputs. A second selection module receives the outputs from the universal module and generates final function outputs that are an ordered series inputs received from the universal module. The selection modules and universal module themselves are also aspects of the present invention.

CROSS REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. Provisional Application Ser.No. 61/004,712 filed Nov. 29, 2007, and entitled Secure Evaluation ofPrivate Functions; it is incorporated herein.

BACKGROUND

This invention relates to secure function evaluation (SFE) of privatefunctions and more specifically to universal circuits that simulatecircuits of a known size that are capable of implementing SFE of privatefunctions.

A need for a SFE of a two party function is illustrated as follows. Boband Pat have respective inputs x and y that each desires to keep privatefrom the other while calculating a function ƒ (x, y) having an outputthat is to be disclosed to both. An implementation of generic two-partySFE is disclosed in “Fairplay—a secure two-party computation system”, D.Malkhi, N. Nisan, B. Pinkas, and Y. Sella, In USENIX, 2004. A need for aSFE of a two party private function is illustrated as follows. Bob andPat have respective inputs x and y that each desires to keep privatefrom the other while calculating a function ƒ (x, y), known only to Pat,having an output that is to be disclosed to both.

SUMMARY

An exemplary method enables implementation of a universal circuitcapable of emulating each gate of a circuit designed to calculate afunction. A first selection module receives inputs associated with thefunction. It generates outputs that are an ordered series of the inputs.A universal module receives these outputs and generates another set ofoutputs. A second selection module receives the outputs from theuniversal module and generates final function outputs that are anordered series inputs received from the universal module.

The methods for implementing the selection modules and universal modulethemselves are also aspects of the present invention.

DESCRIPTION OF THE DRAWINGS

Features of exemplary implementations of the invention will becomeapparent from the description, the claims, and the accompanying drawingsin which:

FIG. 1 is a block diagram of a universal circuit suited forincorporation of an embodiment of the present invention.

FIG. 2 is a block diagram of a recursive universal block in accordancewith an exemplary embodiment of the present invention.

FIG. 3 is a block diagram of an exemplary mixing block as shown in FIG.2.

FIG. 4 is a block diagram of a known programmable permutation block.

FIG. 5 is a block diagram of an exemplary selection block that includesan expanded permutation block.

FIG. 6 is a block diagram of an exemplary selection block that includesa truncated permutation block.

FIG. 7 is a block diagram of another exemplary selection blockrepresenting an optimization the selection block of FIG. 5.

FIG. 8 is a block diagram of an exemplary computing system suited forimplementing universal circuits in accordance with the presentinvention.

DETAILED DESCRIPTION

One aspect of the present invention resides in the recognition of thedifficulties associated with a desire in some situations to keep thefunction itself secret and known only to one of the two parties. Forexample, credit evaluations, medical history checking and airport no-flychecking are types of functions in which it is desired that the functionitself not be disclosed to one party, e.g. the party being evaluated, inorder to prevent the parameters and weightings of the parameters frombeing disclosed. Keeping the function itself secret aids in preventingdishonest/malicious participants from attempting to exploitvulnerabilities in the calculation of the function/process, e.g. wherethe participant intentionally gives false information in order toattempt to achieve a desired outcome by the function. It is an objectiveof embodiments of the present invention to keep the function itselfsecret from one party. That is, the only information the one party willhave access to about the function is the number of inputs and outputs,and size of the circuit implementing the function. The other party, i.e.the party with knowledge of the function itself, or that party'srepresentative is responsible for programming the blocks (modules) ofthe universal circuit so that the desired function is executed.

By using a Universal Circuit (UC) instead of a function specificcircuit, the function itself cannot be ascertained by observation of theUC prior to the UC being programmed to perform a desired function. A UCcan be thought of as a “program execution circuit”, capable ofsimulating any circuit C of certain size, given the description of C asinput. Therefore, disclosing the unprogrammed UC does not revealanything about C, except its size. A UC can compute a specific functionwhile the specific circuit C remains private, since the player holding Csimply treats the description (program defining the circuit to beemulated by the UC) of C as additional (private) input to the SFE of theUC.

The UC construction described herein directly results in improvements ofprivate function SFE for many practical private functions of interest.Due to the size of UC constructions, the private function SFE ispractical from a cost basis only for small circuits (UC for 5000-gatecircuits has a size 10⁶, pushing the general SFE size limit). Therefore,improvements of circuit representation for a UC are particularlyrelevant for small circuits.

The UC described herein is advantageous in that it can be substantiallysmaller in size for circuits having approximately 5000 or fewer gates ascompared with the construction of Valiant's UC; see Leslie G. Valiant,“Universal circuits (preliminary report)”, In Proc. 8th ACM Symp. onTheory of Computing, pages 196-203, New York, N.Y., USA, 1976, ACMPress. UCs of the present invention have a size of approximately 1.5 klog²(k) where k is the number of gates. This should be contrasted withthe Valiant construction of a UC which has an approximate size of 19 klog(k).

FIG. 1 shows an exemplary universal circuit (UC) 20 that receives inputs22 (in₁ . . . in_(u)) and generates outputs 24 (out₁ . . . out_(v)). Theinputs are selected by a selection block 26, and processed by universalblock 28 to produce outputs that are further selected by selection block30 to generate the outputs 24.

In the exemplary UC construction, each gate G_(i) of an original circuitC to be simulated is simulated by UC_(u,v,k)—a UC for k-gate circuits ofu inputs and v outputs. That is, for each G_(i), UC_(u,v,k) has acorresponding programmable G_(i)-simulation gate G_(i) ^(Sim). In thisconstruction, the inputs, outputs and semantics of G_(i) ^(sim)correspond to G_(i). Additionally, the wiring of C is hidden by ensuringthat every possible wiring can be implemented in UC_(u,v,k). This methodof construction of a UC is also employed by the Valiant construction.

The exemplary UC construction is designed recursively, meaning that acircuit is built from two circuits of smaller size. The universal blockU_(k) 28 can be viewed as a UC with specific input and output semantics.Namely, U_(k) has 2k inputs and k outputs, since this is a maximumUC_(u,v,k) can have. Further, we restrict that U_(k)'s inputs in_(2i−1),in_(2i) are only delivered to the simulation gate G_(i) ^(Sim), andU_(k)'s i-th output comes from G_(i) ^(Sim). However, input of somegates G_(i) may come from any other gates' outputs, and not fromin_(2i-1) or in_(2i), which may not be used at all; this is supported byU_(k) which only restricts that G_(i)'s input cannot come from otherin_(j). U_(k) is thus a UC for the class of circuits of size k with theabove input/output restrictions.

To construct a UC_(u,v,k) given an implementation of U_(k), the inputselection block 26 directs inputs 22 of the UC as an ordered arrangement(series) to the proper corresponding inputs of the U_(k). The outputselection block 30 directs the outputs from U_(k) (inputs to block 30)as an ordered series to the proper outputs 24 of the UC, discardingunused outputs.

FIG. 2 is a block diagram of a recursive universal block in accordancewith an exemplary embodiment of the present invention. It is constructedusing a “divide and conquer” approach by which a universal block U_(k)28 can be constructed to simulate any circuit C_(k) of size k, with theproper input/output restrictions stated above. The gates of circuitC_(k) to be simulated are referred to by their index. The set of inputs40 to U_(k) 28 are divided into first and second sets, in₁ . . . in_(k)and in_(k+1), . . . in_(2k). The first set of inputs 40 are processed byuniversal block 46 and sent as a first set of outputs 42 (out₁, . . . ,out_(k/2)) and also form inputs to selection block 48. A mixing block 50mixes the outputs from universal block 46 with the second set of inputs(in_(k+1), . . . , in_(2k)) to produce outputs coupled to universalblock 52 that in turn processes these inputs to produce the second setof outputs 44 (out_(k/2+1), . . . , out_(k)).

A topological order of gates G₁, . . . , G_(k) is selected so that thei-th gate G_(i) has no inputs that are outputs of a successive gateG_(j), where j>i. This ordering can always be obtained since onlyacyclic circuits are considered.

Now, suppose there are two blocks U_(k/2), universal for circuitsC_(k/2) of size k/2 and it is desired to combine them to obtain U_(k).Clearly, because of their universality, one of U_(k/2) could simulatethe “upper” half of C_(k) (i.e. gates G₁ through G_(k/2)), and the otherU_(k/2) could simulate the lower half (gates G_(k/2+1), . . . , G_(k)).Note, that because of the topological ordering, there is no data goinginto the upper U_(k/2) from the lower one. Thus, U_(k) must only directits inputs/outputs and allow implementation of all possible data pathsfrom the upper U k/2 to the lower one. This can be done as shown on FIG.2. This is described in more detail below.

The first k inputs 40 to U_(k) in₁, . . . , in_(k) are directly sent tothe upper U_(k/2). The order of the inputs matches the interfaceperfectly, so no additional manipulation is required. The k/2 outputs ofthe upper universal block 46 U_(k/2) are sent directly to the first halfof the outputs 42 of U_(k). Again, interfaces match, and no manipulationis required.

Now it is described how the inputs to the lower universal block 52U_(k/2) are provided. These inputs could come from any G_(i) ^(Sim) gateof the upper U_(k/2). Therefore, the outputs 42 of upper U_(k/2) arealso wired as an input to selection block 48 S_(k) ^(k/2). This allowsdirection, with duplicates, of the output of any gate of upper U_(k/2)to any position of the input interface of lower U_(k/2) (and thus to anygate of lower U_(k/2)). Additionally, the universal block 52 inputs cancome from the second set of U_(k) inputs in_(k+1), . . . , in_(2k) viathe mixing block 50. Since the universal block 52 U_(k/2) simulatesgates G_(k/2+1) through G_(k) of C_(k), inputs in_(k+1), . . . in_(2k)are already ordered to match lower U_(k/2)'S interface. For each inputto the universal block 52 U_(k/2), the input is selected by the mixingblock 50 to be one of the two available input wires: one provided byuniversal block 46 via selection block 48, and the other coming from thesecond set of inputs in_(k+1), . . . , in_(2k). This is achieved foreach input to universal block 52 by a corresponding programmable Yswitch.

FIG. 3 shows the mixing block 50 having k of the Y switches 64 withinputs 60 and outputs 62. Each Y switch is programmed to select one oftwo inputs in₁, in₁ ¹, . . . , in_(k) ⁰, in_(k) ¹ to be transferred toits output.

In accordance with the above, efficient methods of programming the UCare obtained, given a circuit C_(k). If the first input of a gate G_(j)in the lower half of C_(k) (k/2<j≦k) is connected to an input of C_(k),the mixing block 50 is programmed to select the corresponding inputin_(2j−1) (resp. in_(2j)) of U_(k) by programming Y_(2j−k−1) (resp.Y_(2j−k)) of mixing block 50 correspondingly. Otherwise, if G_(j) isconnected to an output of a gate G_(i) in the upper half of C_(k)(1≦i≦k/2), the mixing block 50 and selection block 48 are programmed toselect the corresponding output from the upper U_(k/2) block byprogramming Y_(2j−k−1) (resp. Y_(2j−k)) correspondingly and programmingselection block 48 with σ_(2j−k−1)=i (resp. σ_(2j−k)=i).

FIG. 4 shows a previously known permutation block 70 P_(v) ^(u) that canbe programmed to generate outputs that are any permutation of itsinputs. In this example where u=v, pairs of inputs in₁, in₂; . . . ;in_(u−1), in_(u) are switched by X programmable switching blocks 72 thateither routes the inputs straight through to corresponding outputs orcauses the inputs to be crisscrossed to opposing outputs. One output ofeach block 72 is coupled to permutation matrix 74 and the other outputis coupled to the other permutation matrix 76. Thus each permutationmatrix handles a u/2×u/2 set of the u×u total. Pairs of outputs out₁,out₂; . . . ; out_(v−1), out_(v) are switched by X programmableswitching blocks 78 that either routes the inputs straight through tocorresponding final outputs or causes the inputs to be crisscrossed toopposing outputs. One input of each block 78 is coupled to permutationmatrix 74 and the other input is coupled to the other permutation matrix76. Block 70 can cause a set of inputs 1−u to be permutated into anydesired order of outputs 1−v. For more details about permutation blocks,see Abraham Waksman, “A permutation network”, J. ADM, 15(1): 159-163,1968.

FIG. 5 shows a selection block 80 S_(v≧u) ^(u) that incorporates anexpanded permutation block 82 EP_(v≧u) ^(u), Y switching blocks 84, anda permutation block 86 P_(v) ^(v). This selection block 80 is suited foruse as selection block 26 of UC 20. The expanded permutation block 82permutes the u inputs to a subset of u of the v≧u outputs. The remaining(v−u) outputs are allowed to obtain any input value since these areintended to be later discarded, i.e. these are dummy outputs. An inputmapping, expressed as a u×v matrix, specifies that the i-th input shouldbe mapped to the μ_(i)-th distinct output. The expanded permutationblock 82 computes EP(in₁, . . . , in_(u))=(out₁, . . . , out_(v)) where(out_(s)=in_(v))←→(μ_(r)=s), s is in the set of {1, . . . , v}, r is inthe set of {1, . . . , u}.

Each output of block 82, except for the 1^(st) output which is coupleddirectly as an input to block 86, is coupled as one input of one of therespective Y switches 84. The other input to the Y switches is connectedto the output of the preceding Y switch (viewed from left to right inFIG. 5). There are (v−1) of the Y switches. The output of each Y switchis coupled as an input to permutation block 86 P_(v) ^(v).

To program selection block 80, first count the frequency of occurrencec_(j) of each input value in the output: c_(j)=#{σ_(i): σ_(i)=j; i is inthe set of {1 . . . v}}; j is in the set of {1, . . . u}. Note,0≦c_(j)≦v and Σ_(j=1) ^(u)c_(j)=v. The expanded permutation block 82 isprogrammed to:

1. map the needed inputs (c_(j)≠0) to its (Σ_(k=1) ^(j−1))-th output and

2. map the unused inputs (c_(j)=0) to an unused (dummy) output.

The Y switches enable the outputs of block 82 to be duplicated as inputsas necessary to the permutation block 86. If the right input of a Yblock is a needed output, then the Y block selects it as its outputwhich enables the next right Y switch to duplicate it as an output toblock 86 if desired. Otherwise, the output of the left-neighbor Y blockis selected. For each j, this construction inputs c_(j) copies of in_(j)into the permutation block 86. The permutation block 86 permutes thesevalues to the corresponding outputs indicated by the selection mappingσ.

FIG. 6 shows a selection block 90 S_(v) ^(u≧v) that incorporates atruncated permutation block 92 TP_(v) ^(u≧v), Y switching blocks 94, anda permutation block 96 P_(v) ^(v). This selection block 90 is suited foruse as selection block 30 of UC 20. Each output of block 92, except forthe 1^(st) output which is coupled directly as an input to block 96, iscoupled as one input of one of the respective Y switches 94. The otherinput to the Y switches is connected to the output of the preceding Yswitch (viewed from left to right in FIG. 6). There are (v−1) of the Yswitches. The output of each Y switch is coupled as an input topermutation block 96 P_(v) ^(v).

The truncated permutation block 92 permutes a subset of v of the uinputs to the v≦u outputs. The remaining u−v input values are discarded.An input mapping, expressed as a u×v matrix, specifies that the i-thinput should be mapped to the μ_(i)-th distinct output. An outputmapping (μ_(i))_(i=1) ^(v), μ_(i) is in the set of {1, . . . , u}, suchthat for all j≠i: u_(i)≠u_(j) selects the μ_(i)-th input as the i-thsoutput. The truncated permutation block computes TP(in₁, . . . ,in_(u))=(in_(μ1), . . . , in_(μv)). The truncated permutation block 92is recursively constructed. It is assumed that u and v are even at eachrecursion step (otherwise an unused dummy input or output with smalloverhead can be introduced). The truncated selection block of FIG. 6 canbe constructed and programmed analogously to the expanded selectionblock of FIG. 5, but using the truncated permutation block 92 instead ofthe expanded permutation block 82.

FIG. 7 is a block diagram of another exemplary selection block 100representing an optimization the expanded selection block 80 of FIG. 5.In this example the selection block 100 is based on selection block 80S_(v≧u) ^(u) constructed for the case where v=2u which may be frequentlyused in the recursive construction of the universal block 28. Comparingthe selection block 100 to selection block 80, the expanded permutationblock 82 of selection block 80 is replaced with a smaller permutationblock 102 of P_(u) ^(u), and a different arrangement of Y switchingblocks 104, 106 is used instead of Y switching blocks 84.

Permutation block 102 together with the Y blocks 104, 106 can output theselected values of x (with the correct number of duplicates) in someorder as outputs Y₁ . . . Y_(2u) coupled to permutation block 108.Arranging the outputs Y₁ . . . Y_(2u) into the desired order of out₁, .. . out_(2u) is the responsibility of permutation block 108. Thepermutation block 102 is programmed to deliver any input in_(i) to anyY-layer input x_(j) not already used by another input. For example, ifinput in_(i) needs to be duplicated c_(i) times, this can be achieved byprogramming the permutation to map in_(i) to x_(j), and have blocksY_(j) through Y_(j+c−1) to output x_(j). Thus way, the value of in_(i)would be duplicated c_(i) times. To enhance efficiency, the wiring ofthe Y-layer is limited. In particular, input x_(i) is delivered only toblocks Y_(i) and Y_(2u−i+1), which are in a column i. From there, x_(i)can be propagated “to the right” from Y_(i) (i.e. to blocks Y_(i+1), . .. , in the lower row 104) and/or “to the left” from Y_(2u−i+1) (i.e. toblocks Y_(2u−i+2), . . . , in the upper row 106). Note, blocks Y₁ andY_(2u−i+1) cannot receive different inputs from P_(u) ^(u) 102. However,blocks Y_(i) and Y_(2u−i+1) can produce different outputs, since one orboth of them could be programmed to propagate the value of theirneighboring Y block. This structure permits the Y-layer to beprogrammed, and the inputs in₁ . . . in_(u) to be permuted such that theY-layer provides the desired number of duplicates for each input.

Specifically, the Y-layer is programmed as follows. For the i-th of uinputs of the selection block, let c_(i) (0<=c_(i)<=u) be the number ofduplicates of that input to be produced by the Y lawyer. View theY-layer as consisting of two rows (upper and lower), as depicted on FIG.7. Due to the limited wiring, the Y-layer generates duplicates in asequence. View each sequence of duplicates to be produced by the Y-layeras a “box” of size c_(i) to be placed in either upper or lower row.

Programming of the Y-layer is performed by first fitting the boxes ofduplicates in the rows of the Y-layer (Algorithm 1 below). Then each Yblock is programmed to implement input propagation according to the boxlayout.

Algorithm 1 (Box-packing) 0. Each box is always put in the leftmostunoccupied slots in the specified row. 1. Sort boxes by size c_(i) inincreasing order. 2. While there is at least one box of size 1, do a) ifthere are at least two boxes of minimal sizes s2 >= s1 >= 2 left i. putthe box of size s1 in the upper row ii. put remaining (but no more thans1-2) boxes of size 1 in lower row iii. put the box of size s2 in thelower row (possibly wrap around iv. put remaining (but no more thans2-2) boxes of size 1 in upper row b) else i. put the remaining boxes ofsize 1 in the lower row ii. put the box of size s1 >= 2 in the lower rowand wrap around 3. While there is at least one box of minimal size s3 >=2 left, do a) if there is another box of minimal size s4 >= s3 >= 2 lefti. put the box of size s3 in the upper row ii. put the box of size s4 inthe lower row (possibly wrap around) b) else i. put the box of sizes3 >= 2 in the lower row and wrap aroundThe permutation block 102 is then programmed to deliver thecorresponding inputs to the beginning of each corresponding box in theY-layer. The Y-layer, programmed as above creates the right numbers ofduplicates, and the permutation block 108 is programmed to deliver each(duplicated) value to its intended destination.

A computing system 118, suitable for implementing a UC in accordancewith the present invention, includes a microprocessor 120 that performsprocesses and tasks based on stored program instructions. It issupported by read-only memory (ROM) 122, random access memory (RAM) 124and nonvolatile data storage device 126. As will be understood by thoseskilled in the art, data and stored program instructions in ROM 122 istypically utilized by microprocessor 120 to initialize and boot thecomputing apparatus. An application program, e.g. a program thatcontrols the implementation of the UC including programming ofindividual block in the UC, can be stored in nonvolatile storage element126. At least active portions of the application program will betypically stored in RAM 124 for ready access and processing bymicroprocessor 120. A variety of user inputs 130 such as a keyboard,keypad, and mouse can be utilized to input instructions to control theUC structure and its programming. User output devices 132 such as adisplay screen and/or printer provide a visual output, e.g. characters,that represent either information input by the user or informationassociated with an interim or final output of the UC. An input/output(I/O) module 108 provides a communication interface permittingmicroprocessor 120 to transmit and receive data with external nodes.Software that provides circuit emulations including different types ofgates is known in general. Such software can be utilized to constructUCs in accordance with the described embodiments of the presentinvention.

Although exemplary implementations of the invention have been depictedand described in detail herein, it will be apparent to those skilled inthe art that various modifications, additions, substitutions, and thelike can be made without departing from the spirit of the invention. Forexample, the functions associated with the illustrative permutationmodules, Y blocks, selection modules and UCs could be implemented inhardware circuits as well as in software although the latter facilitateseasily changing the blocks or arrangement of blocks to produce adifferent corresponding function.

The scope of the invention is defined in the following claims.

1. A method for implementing a universal circuit capable of emulatingeach gate of a circuit designed to calculate a function having u inputs,the method comprising the steps of receiving the u inputs by a firstselection module; generating by the first selection module 2k outputsthat are an ordered series of the u inputs, where u and 2k are integersand 2k≧u; receiving the 2k outputs of the selection module as inputs bya universal module; generating by the universal module k outputs basedon the 2k inputs from the selection module; receiving the k outputs fromthe universal module as inputs by a second selection module; generatingv outputs by the second selection module that are an ordered series ofthe k inputs from the universal module, where k and v are integers andk≧v.
 2. The method of claim 1 wherein the step of generating by thefirst selection module of the 2k outputs comprises the steps of:receiving the u inputs by a first permutation module that produces routputs being an ordered series of the u inputs, where r≧u; each of ther outputs being coupled to one of two inputs of corresponding Yswitching gates each having an s output to which one of its two inputsis coupled, where the s output of a Y_(i) gate is coupled to the otherinput of a Y_(i+1) gate; receiving the s outputs as respective inputs bya second permutation module that produces 2k outputs being an orderedseries of the s inputs.
 3. The method of claim 2 wherein s=2k.
 4. Themethod of claim 1 wherein the step of generating by the second selectionmodule of the v outputs comprises the steps of receiving the k inputs bya first permutation module that produces r outputs being an orderedseries of the k inputs, where r≦k; each of the r outputs being coupledto one of two inputs of corresponding Y switching gates each having an soutput to which one of its two inputs is coupled, where the s output ofa Y_(i) gate is coupled to the other input of a Y_(i+1) gate; receivingthe s outputs as respective inputs by a second permutation module thatproduces v outputs being an ordered series of the s inputs.
 5. Themethod of claim 4 wherein s=v.
 6. The method of claim 1 wherein the stepof generating by the first selection module of the 2k outputs comprisesthe steps of: receiving the u inputs by a first permutation module thatproduces r outputs being an ordered series of the u inputs, where r=u;each of the r outputs being coupled to one of two inputs of one Y_(i)switching gate, where 1<i≦r, in a first series of (r-1) Y switchinggates, each of the r outputs also being coupled to one of two inputs ofone Y_(j) switching gate, where r<j≦2r, in a second series of r numberof Y switching gates, each Y switching gate in the first and secondseries having an s output to which one of its two inputs is coupled,where the s output of a Y switching gate is coupled to the other inputof a next Y switching gate; receiving the s outputs as respective inputsby a second permutation module that produces 2k outputs being an orderedseries of the s inputs.
 7. The method of claim 1 wherein the step ofgenerating by the universal module k outputs based on the 2k inputscomprises the steps of: receiving a first half of the 2k inputs by auniversal module UC1; generating first set of outputs m by the universalmodule UC1 based on the first half of the 2k inputs, where m=k/2, the moutputs representing a first half of the k outputs; receiving themoutputs as inputs by a selection module S1; generating a set of outputsn by the selection module S1 based on the m inputs; receiving a secondhalf of the 2k inputs by a mixing module, also receiving the n outputsas inputs by the mixing module, the mixing module having n number of Yswitching gates with each of the latter having two inputs and an outputto which one of its two inputs is coupled, one input of the Y switchinggates receiving one of the second half of the 2k inputs and the other ofthe Y switching gates receiving one of the n outputs; generating a setof outputs p by the mixing module where each p output is selected to beone of the two inputs to each Y switching gate; receiving the p outputsas inputs q by a selection module S2; generating a set of outputs by theselection module S2 based on the q inputs, the outputs by the selectionmodule S2 representing a second half of the k outputs.
 8. A method forimplementing a selection module for use in constructing a universalcircuit comprises the steps of receiving u inputs by a first permutationmodule that produces r outputs being an ordered series of the u inputs,where r≧u; each of the r outputs being coupled to one of two inputs ofcorresponding Y switching gates in a series of Y switching gates, each Yswitching gate having an s output to which one of its two inputs iscoupled, where the s output of one Y switching gate is coupled to theother input of a next Y gate in the series of Y switching gates;receiving the s outputs as respective inputs by a second permutationmodule that produces 2k outputs being an ordered series of the s inputs.9. The method of claim 8 wherein s=2k.
 10. A method for implementing aselection module for use in constructing a universal circuit comprisesthe steps of receiving k inputs by a first permutation module thatproduces r outputs being an ordered series of the k inputs, where r≦k;each of the r outputs being coupled to one of two inputs ofcorresponding Y switching gates in a series of Y switching gates, each Yswitching gate having an s output to which one of its two inputs iscoupled, where the s output of one Y switching gate is coupled to theother input of a next Y gate in the series of Y switching gates;receiving the s outputs as respective inputs by a second permutationmodule that produces v outputs being an ordered series of the s inputs.11. The method of claim 10 wherein s=v.
 12. A method for implementing aselection module for use in constructing a universal circuit comprisesthe steps of receiving u inputs by a first permutation module thatproduces r outputs being an ordered series of the u inputs, where r=u;each of the r outputs being coupled to one of two inputs of one Y_(i)switching gate, where 1<i≦r, in a first series of (r-1) Y switchinggates, each of the r outputs also being coupled to one of two inputs ofone Y_(j) switching gate, where r≦j≦2r, in a second series of r numberof Y switching gates, each Y switching gate in the first and secondseries having an s output which is one of its two inputs, where the soutput of a Y switching gate is coupled to the other input of a next Yswitching gate; receiving the s outputs as respective inputs by a secondpermutation module that produces 2k outputs being an ordered series ofthe s inputs.